IBM Gets Behind Snort, Expands Anomaly Detection

Since its debut in 1998, the open-source Intrusion Prevention System (IPS) known as Snort has become a popular platform for security signatures to protect enterprise IT assets. Today, IBM announced support for Snort signatures as part of an expanded security threat analytics capability that is designed to alert organizations to suspicious outbound traffic from infected "zombie" computers.

According to IBM, enterprises are increasingly exposed to new and advanced threats that may have already invaded the corporate network. In addition to support for Snort signatures, IBM's expanded Advanced Threat Protection Platform includes the QRadar Network Anomaly Detection appliance, which is designed to analyze network traffic and report suspicious behavior.

As to why IBM is now embracing Snort IPS signatures, it's a question of customer demand.

"Many of our customers are being mandated by their internal compliance groups to run a certain set of signatures," said John Cloonan, threat protection program director at IBM Security Systems, in an interview with eSecurity Planet. "These are open source Snort signatures that need to be run in the environment."


Cloonan noted that the problem IBM customers have had with Snort is that the mandate left them without the option of running IBM's IPS systems. IBM is also providing a user interface that enables customers to create their own signatures.

According to Cloonan, some very large customers came to IBM and said that they had to support the Snort signatures and were looking for IBM's help. However, the Snort signatures will not be a replacement for IBM's existing IPS threat detection technology.

"Customers don't need to take and deploy all the Snort signatures that are available today as that overlaps with the detection that IBM offers with their protocol analysis module," Cloonan said. "The need is for customers that are creating custom signatures for their own environments."

Network Anomaly Detection

The new QRadar Network Anomaly Detection appliance is all about understanding what is actually going on in the network, says Michael Applebaum, director of QRadar product marketing at IBM Security Systems. The appliance examines network traffic flows and correlates them with user and server activity to get a full view of intrusion attempts and threats.

"Network Anomaly Detection looks at network flows down to the application layer and learns what is typical and customary network behavior," Applebaum said. "What is typical for a host, server, and user over time is established at baseline levels and then [the appliance] can easily flag anomalies that fall outside of typical ranges."
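As an added illustration of the baseline-then-flag idea Applebaum describes (this is not IBM's or QRadar's code; the flow-summary format, the hosts and the thresholds are all assumed), the snippet below learns per-host outbound ranges over a week of constructed flow summaries, then reports hosts whose outbound volume or fan-out falls outside those ranges, the kind of signal a compromised "zombie" machine tends to produce.

```python
# Added example: per-host outbound baselines over a learning window, then
# flag observations above mean + k*sigma. Flow summaries are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (day, source_host, bytes_out, distinct_dst_count)
BASELINE_FLOWS = [
    (d, "ws-101", 20_000 + 500 * d, 8 + d % 3) for d in range(1, 8)
] + [
    (d, "srv-db", 900_000 + 10_000 * d, 3) for d in range(1, 8)
]


def build_baselines(flows):
    """Per-host (mean, population std-dev) for each metric over the window."""
    per_host = defaultdict(lambda: defaultdict(list))
    for _day, host, bytes_out, dst_count in flows:
        per_host[host]["bytes_out"].append(bytes_out)
        per_host[host]["dst_count"].append(dst_count)
    return {
        host: {m: (mean(v), pstdev(v)) for m, v in metrics.items()}
        for host, metrics in per_host.items()
    }


def flag_anomalies(baselines, observed, k=3.0, min_sigma_frac=0.05):
    """Return (host, metric, value, threshold) for values above mean + k*sigma.

    sigma is floored to a fraction of the mean so a perfectly flat baseline
    (the db server's constant dst_count here) does not alert on trivial drift.
    A host with no baseline at all is reported as 'unknown_host'.
    """
    alerts = []
    for host, bytes_out, dst_count in observed:
        if host not in baselines:
            alerts.append((host, "unknown_host", None, None))
            continue
        for metric, value in (("bytes_out", bytes_out), ("dst_count", dst_count)):
            mu, sigma = baselines[host][metric]
            sigma = max(sigma, mu * min_sigma_frac)
            threshold = mu + k * sigma
            if value > threshold:
                alerts.append((host, metric, value, round(threshold, 1)))
    return alerts
```

In practice the learning window, the k multiplier and the sigma floor are the knobs that trade missed detections against alert noise, which is the signal-versus-noise problem the article goes on to raise.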

The network anomaly detection capability is a new subset of the QRadar Security Intelligence Platform that was announced in February. Applebaum noted that the anomaly detection system is specifically tailored for IPS deployments.

The overall goal of IBM's efforts with the threat detection system is to help enterprise organizations identify more threats. That said, Applebaum noted that there is no lack of data to analyze or threats to defend against in a modern IT infrastructure. The key challenge is distinguishing the noise from the signal, he said.

"The challenge is about efficiently managing security technology from an integration point of view and that's another area where we're trying to make it easier over time," Applebaum said.

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com, the news service of the IT Business Edge Network. Follow him on Twitter: @TechJournalist.